1. Field of the Invention
The present invention relates generally to computing devices and software for malware protection. More specifically, it relates to protecting computing devices against malware threats from Web sites using a domain reputation database.
2. Description of the Related Art
Internet users are increasingly going to more and more Web sites for information, entertainment, and general “surfing.” Social networking sites have become very popular. Such sites provide diverse opportunities to interact with other users, but with such interactivity also comes increased risks of entering potentially harmful Web sites.
Hackers have come to realize that an efficient way to get their malware onto users' computers is to do so when users visit Web sites or more specifically when users go to specific pages of a site identified by a uniform resource locator (URL). This can lead to severe damage on the user's computer and the user's network, and can also lead to information leakage and identity theft. Web threat protection enables users to prevent unintentionally downloading or otherwise importing malware from Web sites. One way to implement Web threat protection is to prevent users from visiting potentially malicious Web sites. This may be done by utilizing Web Reputation technology. This technology involves domain reputation databases maintained by an anti-virus and Internet security service provider, such as TrendMicro, Inc. of Cupertino, Calif. These databases contain domain reputation histories for Web sites. The reputation database maintained by TrendMicro, for example, has data on 300 million domains and is continually growing.
An end user having Web threat protection is able to have URLs checked before the user is allowed to access the corresponding target Web site. The reputation of the URL is determined and, if above a certain threshold or score, access is granted to the user to visit the URL. If not, access to the site is simply blocked or the user is notified and provided with options. Not surprisingly, a domain reputation database may receive search requests at a very high frequency, and traffic to and from the database (which is accessed over the Internet) is so high that there is often latency between the time the user clicks on a link or types a URL into a browser and the time she is allowed (or denied) access to the site. Each time a user wants to visit a Web site or URL, the database must be checked to determine the reputation of the site.
In current methodologies, the domain reputation database is checked twice for the same URL, leading to higher latency and increasingly busy network traffic. In one scenario, end-point security software on a client computer in a network filters an HTTP request (that the client wants to send) to obtain a URL in the request. The URL is sent to the domain reputation database, which may be operated by an anti-virus service provider, to obtain information regarding the URL. The database is searched using the URL and, if found, a rating or score is sent back to the client computer. If the rating is sufficiently high, indicating that the Web site is considered safe, the security software on the client computer allows the HTTP request to be transmitted.
However, because the client is in a network, another device processes the request before it is transmitted on the Internet to the target Web site. The request is received by a gateway device in the network before it is forwarded. The gateway device, also having the same or similar security software as the client (supplied by the same service provider), performs a Web site reputation check on the URL in the same manner as the client computer. That is, a query is made to the same domain reputation databases using the same URL. This is because when it receives the HTTP request from the client computer, the gateway device does not know if a domain reputation check has already been done by the client or, if done, what the URL score was.
A rating is returned to the gateway and, if acceptable, the HTTP request is allowed to proceed to the Web site; if the score is below a threshold, the request is dropped. Thus, in this context, two queries are made to the reputation database with the same URL. In some cases, an HTTP request may have multiple URLs, in which case a query is sent for each URL. These online queries to the databases add cost both to the service provider, which has to maintain the database servers and ensure that the high volume of URL queries is satisfied as quickly as possible, and to the network entity (e.g., company, school, agency, etc.) in terms of latency and network traffic. The latency for the user at the client computer gets longer as the network traffic grows. As noted, a domain reputation database may have rating data on upwards of 300 million Web sites and may get about 2 billion queries a day, not including the constant updating of the database with new ratings and changes.
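The following Python model is an added illustration of the two-hop flow just described, not code from the patent or from any vendor product: a client-side filter and a network gateway each extract the URLs from an outgoing HTTP request and each query the same reputation database, so every URL costs two remote lookups. The reputation scores, the threshold of 60 and the sample request are constructed values.

```python
# Added example: models the client check followed by the gateway check.
# The database logs every lookup so the duplicated queries are visible.
from dataclasses import dataclass, field
import re

THRESHOLD = 60  # assumed: a score at or above this means "safe"

# Constructed reputation data standing in for the provider's database.
CONSTRUCTED_DB = {
    "example.com": 90,   # constructed: well-regarded domain
    "evil.example": 10,  # constructed: poorly-regarded domain
}


@dataclass
class ReputationDB:
    scores: dict
    queries: list = field(default_factory=list)  # (requester, url) audit log

    def lookup(self, url, requester):
        """Record the query, then return the domain's score (0 if unknown)."""
        self.queries.append((requester, url))
        host = re.match(r"https?://([^/:]+)", url).group(1)
        return self.scores.get(host, 0)


def extract_urls(http_request):
    """Pull every absolute URL out of a raw HTTP request (request line, headers, body)."""
    return re.findall(r"https?://[^\s\"'<>]+", http_request)


def hop_check(db, http_request, requester):
    """The same reputation check, performed by the client filter and by the gateway."""
    results = {u: db.lookup(u, requester) >= THRESHOLD for u in extract_urls(http_request)}
    return all(results.values()), results


def send_request(db, http_request):
    """Current flow: client checks, and if it allows the request, the gateway checks again."""
    allowed, _ = hop_check(db, http_request, "client")
    if not allowed:
        return "blocked_at_client"
    allowed, _ = hop_check(db, http_request, "gateway")
    return "forwarded" if allowed else "dropped_at_gateway"


if __name__ == "__main__":
    db = ReputationDB(dict(CONSTRUCTED_DB))
    req = "GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    print(send_request(db, req), db.queries)  # one URL, two lookups
```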
Traditional, scan-based security solutions alone do not provide effective protection from Web threats. Most URL-filtering and content-inspection solutions only protect by reacting to known threats. These are not efficient or effective means for Web threat protection. To effectively combat new and emerging Web threats, new Web site-reputation based solutions that reduce latency and network traffic are needed.